IN THE CLAIMS:

1. (original) A method of proving entity membership in a nested group, wherein a
presenter of credentials performs the step of presenting to a recipient of credentials one or
more chains of group credentials.

2. (original) The method of claim 1, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

3. (original) The method of claim 2, wherein said proofs of group membership
comprise one or more group membership certificates.

4. (original) The method of claim 2, wherein said proofs of group membership
comprise one or more group membership lists.



5. (original) The method of claim 1, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

6. (original) The method of claim 5, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

7. (original) The method of claim 5, wherein said proofs of group non-membership
comprise one or more group membership lists.

8. (original) The method of claim 1, wherein said recipient is a resource server.



9. (original) The method of claim 1, wherein said recipient is an on-line group
server.

10. (original) The method of claim 1, wherein said recipient is an on-line revocation
server.

11. (original) The method of claim 1, wherein said recipient is a client.

12. (original) A method of proving entity non-membership in a nested group,
wherein a presenter of credentials performs the step of presenting to a recipient of
credentials one or more chains of group credentials.

13. (original) The method of claim 12, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

14. (original) The method of claim 13, wherein said proofs of group membership
comprise one or more group membership certificates.

15. (original) The method of claim 13, wherein said proofs of group membership
comprise one or more group membership lists.

16. (original) The method of claim 12, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

17. (original) The method of claim 16, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

18. (original) The method of claim 16, wherein said proofs of group non-membership
comprise one or more group membership lists.



19. (original) The method of claim 12, wherein said recipient is a resource server.

20. (original) The method of claim 12, wherein said recipient is an on-line group
server.

21. (original) The method of claim 12, wherein said recipient is an on-line revocation
server.

22. (original) The method of claim 12, wherein said recipient is a client.

23. (original) A computer system wherein a presenter of credentials presents to a
recipient of credentials one or more chains of group credentials to prove entity membership
in a nested group.



24. (original) The system of claim 23, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

25. (original) The system of claim 24, wherein said proofs of group membership
comprise one or more group membership certificates.

26. (original) The system of claim 24, wherein said proofs of group membership
comprise one or more group membership lists.

27. (original) The system of claim 23, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.


28. (original) The system of claim 27, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

29. (original) The system of claim 27, wherein said proofs of group non-membership
comprise one or more group membership lists.

30. (original) The system of claim 23, wherein said recipient is a resource server.

31. (original) The system of claim 23, wherein said recipient is an on-line group
server.

32. (original) The system of claim 23, wherein said recipient is an on-line revocation
server.

33. (original) The system of claim 23, wherein said recipient is a client.



34. (original) A computer system wherein a presenter of credentials presents to a
recipient of credentials one or more chains of group credentials to prove entity
non-membership in a nested group.

35. (original) The system of claim 34, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

36. (original) The system of claim 35, wherein said proofs of group membership
comprise one or more group membership certificates.

37. (original) The system of claim 35, wherein said proofs of group membership
comprise one or more group membership lists.



38. (original) The system of claim 34, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

39. (original) The system of claim 38, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

40. (original) The system of claim 38, wherein said proofs of group non-membership
comprise one or more group membership lists.

41. (original) The system of claim 34, wherein said recipient is a resource server.

42. (original) The system of claim 34, wherein said recipient is an on-line group
server.

43. (original) The system of claim 34, wherein said recipient is an on-line revocation
server.

44. (original) The system of claim 34, wherein said recipient is a client.

45. (original) A method of operating a client device on a computer network, said
client device requesting a service from a server and performing the steps of:

A. obtaining one or more chains of group credentials to prove client membership
in a nested group, and

B. presenting to the server a request for the service, said request including the
chains of group credentials.

46. (original) The method of claim 45, wherein one of said chains of group
credentials comprise one or more proofs of group membership.



47. (original) The method of claim 46, wherein said proofs of group membership
comprise one or more group membership certificates.

48. (original) The method of claim 46, wherein said proofs of group membership
comprise one or more group membership lists.

49. (original) The method of claim 45, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

50. (original) The method of claim 49, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

51. (original) The method of claim 49, wherein said proofs of group non-membership
comprise one or more group membership lists.



52. (original) A method of operating a client device on a computer network, said
client device requesting a service from a server and performing the steps of:

A. obtaining one or more chains of group credentials to prove client
non-membership in a nested group, and

B. presenting to the server a request for the service, said request including the
chains of group credentials.

53. (original) The method of claim 52, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

54. (original) The method of claim 53, wherein said proofs of group membership
comprise one or more group membership certificates.



55. (original) The method of claim 53, wherein said proofs of group membership
comprise one or more group membership lists.

56. (original) The method of claim 52, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

57. (original) The method of claim 56, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

58. (original) The method of claim 56, wherein said proofs of group non-membership
comprise one or more group membership lists.

59. (original) A client device on a computer network requesting a service from a
server, said client device comprising:

A. means for obtaining one or more chains of group credentials to prove client
membership in a nested group, and

B. means for presenting to the server a request for the service, said request
including the chains of group credentials.



60. (original) The client device of claim 59, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

61. (original) The client device of claim 60, wherein said proofs of group
membership comprise one or more group membership certificates.

62. (original) The client device of claim 60, wherein said proofs of group
membership comprise one or more group membership lists.



63. (original) The client device of claim 59, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

64. (original) The client device of claim 63, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

65. (original) The client device of claim 63, wherein said proofs of group
non-membership comprise one or more group membership lists.

66. (original) A client device on a computer network requesting a service from a 
server, said client device comprising: 

A. means for obtaining one or more chains of group credentials to prove client 
non-membership in a nested group, and 

B. means for presenting to the server a request for the service, said request in- 
cluding the chains of group credentials. 

67. (original) The client device of claim 66, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

68. (original) The client device of claim 67, wherein said proofs of group member- 
ship comprise one or more group membership certificates. 

69. (original) The client device of claim 67, wherein said proofs of group
membership comprise one or more group membership lists.

70. (original) The client device of claim 66, wherein one of said chains of group cre- 
dentials comprise one or more proofs of group non-membership. 



71. (original) The client device of claim 70, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

72. (original) The client device of claim 70, wherein said proofs of group
non-membership comprise one or more group membership lists.

73. (original) A method for operating a resource server on a computer network, said
resource server controlling access to one or more resources by a plurality of client
devices and performing the steps of:

A. accepting resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client membership in a nested
group,

B. validating the chains of group credentials, and

C. if the chains of group credentials are valid, authorizing the requested access.



74. (original) The method of claim 73, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

75. (original) The method of claim 74, wherein said proofs of group membership
comprise one or more group membership certificates.

76. (original) The method of claim 74, wherein said proofs of group membership
comprise one or more group membership lists.

77. (original) The method of claim 73, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

78. (original) The method of claim 77, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.



79. (original) The method of claim 77, wherein said proofs of group non-membership
comprise one or more group membership lists.

80. (original) A method of operating a resource server on a computer network, said
resource server controlling access to one or more resources by a plurality of client
devices and performing the steps of:

A. accepting resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client non-membership in a
nested group,

B. validating the chains of group credentials, and

C. if the chains of group credentials are valid, authorizing the requested access.

81. (original) The method of claim 80, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

82. (original) The method of claim 81, wherein said proofs of group membership
comprise one or more group membership certificates.

83. (original) The method of claim 81, wherein said proofs of group membership
comprise one or more group membership lists.

84. (original) The method of claim 80, wherein one of said chains of group creden- 
tials comprise one or more proofs of group non-membership. 

85. (original) The method of claim 84, wherein said proofs of group non-membership 
comprise one or more group non-membership certificates. 



86. (original) The method of claim 84, wherein said proofs of group non-membership
comprise one or more group membership lists.

87. (original) A resource server on a computer network controlling access to one or
more resources by a plurality of client devices, said resource server comprising:

A. means for accepting resource access requests from the client devices, each
request comprising one or more chains of group credentials proving client membership in a
nested group,

B. means for validating the chains of group credentials, and

C. if the chains of group credentials are valid, means for authorizing the
requested access.

88. (original) The resource server of claim 87, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

89. (original) The resource server of claim 88, wherein said proofs of group
membership comprise one or more group membership certificates.

90. (original) The resource server of claim 88, wherein said proofs of group
membership comprise one or more group membership lists.

91. (original) The resource server of claim 87, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

92. (original) The resource server of claim 91, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

93. (original) The resource server of claim 91, wherein said proofs of group
non-membership comprise one or more group membership lists.



94. (original) A resource server on a computer network controlling access to one or
more resources by a plurality of client devices, said resource server comprising:

A. means for accepting resource access requests from the client devices, each
request comprising one or more chains of group credentials proving client non-membership
in a nested group,

B. means for validating the chains of group credentials, and

C. if the chains of group credentials are valid, means for authorizing the
requested access.



95. (original) The resource server of claim 94, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

96. (original) The resource server of claim 95, wherein said proofs of group
membership comprise one or more group membership certificates.

97. (original) The resource server of claim 95, wherein said proofs of group
membership comprise one or more group membership lists.

98. (original) The resource server of claim 94, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

99. (original) The resource server of claim 98, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

100. (original) The resource server of claim 98, wherein said proofs of group
non-membership comprise one or more group membership lists.



101. (original) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device
requesting a service from a server, configures the network device to operate as a client device
that:

A. obtains one or more chains of group credentials to prove client membership in
a nested group, and

B. presents to the server a request for the service, said request including the
chains of group credentials.



102. (original) The computer data signal of claim 101, wherein one of said chains of
group credentials comprise one or more proofs of group membership.

103. (original) The computer data signal of claim 102, wherein said proofs of group
membership comprise one or more group membership certificates.

104. (original) The computer data signal of claim 102, wherein said proofs of group
membership comprise one or more group membership lists.

105. (original) The computer data signal of claim 101, wherein one of said chains of
group credentials comprise one or more proofs of group non-membership.

106. (original) The computer data signal of claim 105, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

107. (original) The computer data signal of claim 105, wherein said proofs of group
non-membership comprise one or more group membership lists.



108. (original) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device
requesting a service from a server, configures the network device to operate as a client device
that:

A. obtains one or more chains of group credentials to prove client
non-membership in a nested group, and

B. presents to the server a request for the service, said request including the
chains of group credentials.

109. (original) The computer data signal of claim 108, wherein one of said chains of
group credentials comprise one or more proofs of group membership.

110. (original) The computer data signal of claim 109, wherein said proofs of group
membership comprise one or more group membership certificates.

111. (original) The computer data signal of claim 109, wherein said proofs of group
membership comprise one or more group membership lists.

112. (original) The computer data signal of claim 108, wherein one of said chains of
group credentials comprise one or more proofs of group non-membership.

113. (original) The computer data signal of claim 112, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

114. (original) The computer data signal of claim 112, wherein said proofs of group
non-membership comprise one or more group membership lists.

115. (original) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device
controlling access to one or more resources by a plurality of client devices, configures the
network device to operate as a resource server that:

A. accepts resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client membership in a nested
group,

B. validates the chains of group credentials, and

C. if the chains of group credentials are valid, authorizes the requested access.

116. (original) The computer data signal of claim 115, wherein one of said chains of
group credentials comprise one or more proofs of group membership.

117. (original) The computer data signal of claim 116, wherein said proofs of group
membership comprise one or more group membership certificates.

118. (original) The computer data signal of claim 116, wherein said proofs of group
membership comprise one or more group membership lists.

119. (original) The computer data signal of claim 115, wherein one of said chains of
group credentials comprise one or more proofs of group non-membership.

120. (original) The computer data signal of claim 119, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

121. (original) The computer data signal of claim 119, wherein said proofs of group
non-membership comprise one or more group membership lists.



122. (original) A computer data signal embodied in a carrier wave and representing a
sequence of instructions that, when executed by a processor in a network device
controlling access to one or more resources by a plurality of client devices, configures the
network device to operate as a resource server that:

A. accepts resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client non-membership in a
nested group,

B. validates the chains of group credentials, and

C. if the chains of group credentials are valid, authorizes the requested access.

123. (original) The computer data signal of claim 122, wherein one of said chains of
group credentials comprise one or more proofs of group membership.

124. (original) The computer data signal of claim 123, wherein said proofs of group
membership comprise one or more group membership certificates.

125. (original) The computer data signal of claim 123, wherein said proofs of group
membership comprise one or more group membership lists.

126. (original) The computer data signal of claim 122, wherein one of said chains of
group credentials comprise one or more proofs of group non-membership.

127. (original) The computer data signal of claim 126, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

128. (original) The computer data signal of claim 126, wherein said proofs of group
non-membership comprise one or more group membership lists.